Microsoft’s unified Defender for Identity sensor is GA: What DFIR teams should change today
Microsoft announced general availability of a unified Microsoft Defender for Identity sensor that correlates identity and endpoint telemetry across on‑premises Active Directory, Microsoft Entra ID, and even third‑party identity providers (e.g., Okta), improving incident correlation and enabling automatic attack disruption with richer identity context. The post also signals migration guidance for existing customers in the coming months. Microsoft Security Blog, 2025‑10‑23.
Why this matters to DFIR: identity evidence that used to be scattered (AD security events, Entra sign‑ins, endpoint logons) is now designed to land in one incident and one hunting surface (Defender XDR), with contain/disable actions tied directly to identity context. That reduces dwell time and speeds attribution and scoping. Microsoft Security Blog.